pkigen.sh

#!/bin/sh
CANAME="My Own Trusted Members CA"
CAORG="MyNetwork"
CACOUNTRY="IT"
SERVERNAME=yourserver.domain.net

# Build CA Keys + Cert
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "C=${CACOUNTRY}, O=${CAORG}, CN=${CANAME}" --ca --outform pem > caCert.pem
echo "> Exporting CA keys"
openssl pkcs12 -export -inkey "caKey.pem" -in "caCert.pem" -name "${CANAME}" -certfile caCert.pem -caname "${CANAME}" -out "${CANAME}.p12"
#cp caCert.pem /etc/ipsec.d/cacerts/
#cp caKey.pem /etc/ipsec.d/private/

# Build Server Keys + Cert
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=${CACOUNTRY}, O=${CAORG}, CN=${SERVERNAME}" --san "${SERVERNAME}" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert.pem
echo "> Exporting server keys"
openssl pkcs12 -export -inkey "serverKey.pem" -in "serverCert.pem" -name "${SERVERNAME}" -certfile caCert.pem -caname "${CANAME}" -out "${SERVERNAME}.p12"
#cp serverCert.pem /etc/ipsec.d/certs/
#cp serverKey.pem /etc/ipsec.d/private/
rm serverKey.pem

# Build Client Keys + Cert
if [ ! -f caKey.pem ]
then
  echo "CA Keys not found!"
  HINT=$(ls | grep CA)
  read -p "Choose PKCS#12 to extract [$HINT]: " CA12
  [ -n "$CA12" ] || CA12="$HINT"
  openssl pkcs12 -in "${CA12}" -nocerts -nodes -out caKey.pem
fi
read -p "New client names: " NAMES
for CN in $NAMES
do
  ipsec pki --gen --outform pem > "${CN}_key.pem"
  ipsec pki --pub --in "${CN}_key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=IT, O=LuMa, CN=$CN" --san "$CN" --flag clientAuth --outform pem > "${CN}_cert.pem"
  echo "> Exporting keys for ${CN}"
  openssl pkcs12 -export -inkey "${CN}_key.pem" -in "${CN}_cert.pem" -name "$CN" -certfile caCert.pem -caname "LuMa Trusted Members CA" -out "${CN}.p12"
  #cp "${CN}_cert.pem" /etc/ipsec.d/certs/
  #cp "${CN}_key.pem" /etc/ipsec.d/private/
  rm "${CN}_key.pem"
done

rm caKey.pem